Lucene search

[email protected]NVD:CVE-2023-40621

HistorySep 12, 2023 - 3:15 a.m.

CVE-2023-40621

2023-09-1203:15:12

CWE-94

[email protected]

web.nvd.nist.gov

cve-2023-40621

unauthenticated attacker

vbscript injection

document

user prompt

6.3 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

LOW

Integrity Impact

LOW

Availability Impact

LOW

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:L

0.001 Low

EPSS

Percentile

20.7%

JSON

SAP PowerDesigner Client - version 16.7, allows an unauthenticated attacker to inject VBScript code in a document and have it opened by an unsuspecting user, to have it executed by the application on behalf of the user. The application has a security option to disable or prompt users before untrusted scripts are executed, but this is not set as default.

Affected configurations

NVD

Node

sappowerdesignerMatch16.7

References

me.sap.com/notes/3357163

www.sap.com/documents/2022/02/fa865ea4-167e-0010-bca6-c68f7e60039b.html